CVE-2026-8193 Overview
CVE-2026-8193 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in Akaunting 3.1.21, an open-source accounting application. The flaw lies in the DOMPDF configuration in config/dompdf.php used by the Invoice PDF Rendering component: because remote resource fetching is permitted, an authenticated remote attacker who controls invoice HTML can make the server issue outbound requests to URLs of the attacker's choosing when the invoice is rendered to PDF. An exploit is publicly available. According to VulDB, the vendor was contacted prior to disclosure but did not respond.
Critical Impact
An authenticated attacker can abuse the invoice PDF renderer to reach internal services, cloud metadata endpoints, or other resources reachable from the Akaunting server.
Affected Products
- Akaunting 3.1.21
- Component: Invoice PDF Rendering (config/dompdf.php)
- Deployments using the affected DOMPDF integration
Discovery Timeline
- 2026-05-09 - CVE-2026-8193 published to NVD
- 2026-05-11 - Last updated in NVD database
Technical Details for CVE-2026-8193
Vulnerability Analysis
The vulnerability affects Akaunting 3.1.21, specifically the Invoice PDF Rendering component implemented through DOMPDF and configured via config/dompdf.php. DOMPDF can fetch remote resources such as images and stylesheets referenced inside HTML content while laying out the document as a PDF. When the configuration permits remote URL retrieval, attacker-controlled markup embedded in invoice data causes the server to issue HTTP requests to URLs of the attacker's choosing. The vulnerability is classified under [CWE-918] Server-Side Request Forgery. The EPSS probability is 0.038%, reflecting low predicted exploitation likelihood, although a public exploit has been released.
Root Cause
The root cause is permissive remote resource fetching configured in config/dompdf.php: with the DOMPDF option isRemoteEnabled turned on, DOMPDF dereferences arbitrary http(s) URLs it encounters while rendering invoice HTML. The component applies no destination allowlist of its own, so requests to internal-only addresses are not prevented.
Attack Vector
The attack vector is network-based and requires only low-privileged authenticated access, consistent with a tenant user able to create or modify invoices. The attacker submits invoice content containing HTML elements that reference internal or sensitive URLs; when the server renders the invoice to PDF, it issues outbound GET requests to those URLs. Targets include loopback addresses, internal management interfaces, and cloud instance metadata services such as http://169.254.169.254/, with the aim of retrieving credentials or pivoting deeper into the environment. Note that DOMPDF consumes the fetched response only as an image or stylesheet, so the response body is not automatically handed back to the attacker: the reliable effects are those of blind SSRF (reachability and timing leaks through rendering errors, and GET requests that trigger actions on unauthenticated internal services), and any further impact depends on how the fetched content is rendered or reflected.
No verified exploit code is reproduced here. Technical details are available in the VulDB Vulnerability #362345 entry and the VulDB CTI report.
Detection Methods for CVE-2026-8193
Indicators of Compromise
- Outbound HTTP requests from the Akaunting application server to internal RFC1918 addresses or to 169.254.169.254 originating from the PHP worker process.
- Unexpected DNS lookups generated during invoice rendering for domains not associated with normal billing operations.
- Invoice records containing embedded <img>, <link>, or @import references pointing to private network ranges or metadata endpoints.
Detection Strategies
- Inspect web access and egress proxy logs for requests issued by the Akaunting host during PDF generation windows.
- Hunt within invoice and template tables for HTML content referencing internal hostnames, IPs, or metadata URLs.
- Correlate PHP dompdf rendering events with concurrent outbound connections to destinations other than the application's normal backend dependencies (database, cache, mail, payment gateways).
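The hunting strategy above (searching invoice and template records for HTML that references internal hosts, IPs, or metadata URLs), as an added example. This is example code written for this advisory, not Akaunting's own code or a DOMPDF feature; the tag and CSS coverage, the metadata host list, and the constructed sample records are assumptions. The classifier also normalises host literals that naive string matching misses, such as decimal or hex single-integer IPv4 forms and IPv4-mapped IPv6 addresses, and the same classify() function can serve as a pre-render check on invoice HTML where remote fetching must stay enabled.

```python
"""Hunt stored invoice/template HTML for resource references DOMPDF would fetch server-side.
Example code added for this advisory; not part of Akaunting. Tag/attribute coverage,
the metadata host list and the sample records are assumptions, not a DOMPDF specification."""
import ipaddress
import re
from urllib.parse import urlsplit

# Markup DOMPDF dereferences when remote fetching is on: <img src>, <link href>, CSS @import / url().
ATTR_RE = re.compile(r"""<(?:img|link)\b[^>]*?\b(?:src|href)\s*=\s*["']?([^"'\s>]+)""", re.I)
CSS_RE = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*["']?([^"')\s]+)""", re.I)

# Cloud metadata endpoints (AWS/Azure, GCP, Alibaba); extend per environment.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "100.100.100.200"}
SUSPICIOUS = {"metadata", "loopback", "private"}


def extract_urls(html):
    """Every URL a remote-enabled DOMPDF would try to fetch, in document order, deduplicated."""
    seen, urls = set(), []
    for url in ATTR_RE.findall(html) + CSS_RE.findall(html):
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def host_to_ip(host):
    """Parse a host literal, including the decimal/hex single-integer forms (2130706433 or
    0x7f000001 for 127.0.0.1) that HTTP clients accept and string blocklists miss."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        n = int(host, 0)  # decimal or 0x-prefixed hex; int(..., 0) rejects bare-zero octal forms
    except ValueError:
        return None
    return ipaddress.ip_address(n) if 0 <= n < 2**32 else None


def classify(url):
    """Classify where a fetch of this URL would go: metadata, loopback, private, external-*, relative."""
    parts = urlsplit(url.strip())
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return "non-http-scheme"   # file:, phar:, data: are a chroot concern, not an SSRF one
    host = parts.hostname
    if not host:
        return "relative"          # resolved against the local document, no network fetch
    host = host.lower().rstrip(".")
    if host in METADATA_HOSTS:
        return "metadata"
    ip = host_to_ip(host)
    if ip is None:
        return "external-host"     # DNS name: resolve and re-check, or compare with an allowlist
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped        # [::ffff:169.254.169.254] is the same target as 169.254.169.254
    if str(ip) in METADATA_HOSTS:
        return "metadata"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "external-ip"


def scan_records(records):
    """records: iterable of (record_id, html). Returns [(record_id, url, class)] for suspicious refs."""
    findings = []
    for record_id, html in records:
        for url in extract_urls(html):
            cls = classify(url)
            if cls in SUSPICIOUS:
                findings.append((record_id, url, cls))
    return findings


SAMPLE_RECORDS = [  # constructed invoice note / template fragments, not real Akaunting data
    (1001, '<p>Thanks!</p><img src="https://cdn.example.com/logo.png">'),
    (1002, '<img src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" width="1">'),
    (1003, '<style>@import url("http://10.0.0.5:8080/")</style><p>Terms</p>'),
    (1004, "<img src='http://2130706433/phpmyadmin/'>"),
    (1005, '<link rel="stylesheet" href="/css/invoice.css">'),
]

if __name__ == "__main__":
    for record_id, url, cls in scan_records(SAMPLE_RECORDS):
        print(f"record {record_id}: {cls:9} {url}")
```

Feed scan_records() the id and HTML columns of the invoice notes and template tables; anything classified external-host deserves a second pass that resolves the name and re-checks the address, since a DNS name can point at an internal host just as well as a literal can.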
Monitoring Recommendations
- Forward egress firewall and proxy telemetry to a centralized analytics platform and alert on connections from application servers to metadata services.
- Monitor authenticated user actions that create or modify invoice content for anomalous URL patterns.
- Track DOMPDF rendering errors and timeouts, which often accompany SSRF probing attempts.
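The metadata-service alerting above and the correlation of rendering events with concurrent outbound connections from the Detection Strategies list, as one added example. This is example code written for this advisory, not Akaunting, squid or SIEM code; it assumes the native squid access.log format for the egress proxy, render events already extracted as (UTC timestamp, invoice number, user id) tuples, the app-server source IP below, and a 5-second attribution window. The proxy lines and render events are constructed.

```python
"""Correlate egress proxy hits with invoice PDF render events.
Example code added for this advisory; not part of Akaunting or any SIEM product.
Assumptions: native squid access.log format, render events already extracted as
(UTC timestamp, invoice number, user id) tuples, and the app server IPs listed below."""
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlsplit

AKAUNTING_HOSTS = {"10.1.2.20"}                        # assumed source IPs of the Akaunting PHP workers
METADATA_IPS = {"169.254.169.254", "100.100.100.200"}  # AWS/Azure and Alibaba metadata endpoints
WINDOW_SECONDS = 5                                     # how close a fetch must be to a render to attribute it


def is_internal_destination(url):
    """True for a cloud metadata IP or a loopback/RFC1918/link-local literal. CONNECT entries in
    squid logs carry host:port without a scheme, so they are normalised first."""
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname or ""
    if host in METADATA_IPS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS names need resolution (or an allowlist) before they can be judged
    return ip.is_loopback or ip.is_private or ip.is_link_local


def parse_squid_line(line):
    """Native squid format: epoch elapsed client code/status bytes method url ident hierarchy type."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"ts": float(f[0]), "client": f[2], "status": f[3], "method": f[5], "url": f[6]}


def to_epoch(ts):
    """'YYYY-MM-DD HH:MM:SS' in UTC -> epoch seconds, the unit squid logs in."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def correlate(proxy_lines, render_events, window=WINDOW_SECONDS):
    """One alert per internal-bound hit from an Akaunting host, attributed to the render event
    closest in time within the window (invoice/user are None when no render is that close)."""
    events = [(to_epoch(ts), invoice, user) for ts, invoice, user in render_events]
    alerts = []
    for line in proxy_lines:
        hit = parse_squid_line(line)
        if not hit or hit["client"] not in AKAUNTING_HOSTS or not is_internal_destination(hit["url"]):
            continue
        nearby = [e for e in events if abs(e[0] - hit["ts"]) <= window]
        match = min(nearby, key=lambda e: abs(e[0] - hit["ts"])) if nearby else None
        alerts.append({"ts": hit["ts"], "method": hit["method"], "url": hit["url"],
                       "status": hit["status"],
                       "invoice": match[1] if match else None,
                       "user": match[2] if match else None})
    return alerts


RENDER_EVENTS = [  # constructed: (UTC timestamp, invoice number, user id) from the app's render log
    ("2026-05-12 10:14:03", "INV-1001", 7),
    ("2026-05-12 10:20:41", "INV-1002", 3),
]
PROXY_LOG = """\
1778580790.100    95 10.1.2.20 TCP_MISS/200 4210 GET https://cdn.example.com/logo.png - HIER_DIRECT/203.0.113.10 image/png
1778580843.512   120 10.1.2.20 TCP_MISS/200 1342 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ - HIER_DIRECT/169.254.169.254 text/plain
1778580844.020    30 10.1.2.20 TCP_MISS/403 512 GET http://10.0.0.5:8080/admin - HIER_DIRECT/10.0.0.5 text/html
1778581900.000    10 10.1.2.20 TCP_MISS/200 800 GET http://192.168.1.10/ - HIER_DIRECT/192.168.1.10 text/html
1778581901.000    10 10.1.2.99 TCP_MISS/200 800 GET http://192.168.1.10/ - HIER_DIRECT/192.168.1.10 text/html
""".splitlines()  # constructed squid access.log lines

if __name__ == "__main__":
    for a in correlate(PROXY_LOG, RENDER_EVENTS):
        print(f"{a['ts']:.3f} {a['method']} {a['url']} {a['status']} invoice={a['invoice']} user={a['user']}")
```

An unattributed alert (invoice None) from the app server still matters: it means an internal-bound request with no render event near it, which either points at a gap in render logging or at a different code path issuing the request.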
How to Mitigate CVE-2026-8193
Immediate Actions Required
- Disable remote resource loading in DOMPDF by setting isRemoteEnabled to false in config/dompdf.php (DOMPDF_ENABLE_REMOTE => false in the legacy defines format), then confirm that invoice logos and stylesheets are served from local paths inside the DOMPDF chroot so rendering still works.
- Restrict outbound network access from the Akaunting server using egress firewall rules that block private ranges and cloud metadata endpoints.
- Audit existing invoice and template records for embedded references to internal URLs.
Patch Information
No vendor patch has been published. VulDB reports that the maintainer of Akaunting did not respond to disclosure. Until a fixed release is available, operators should apply the configuration hardening and network controls described in this section and monitor the VulDB advisory for updates.
Workarounds
- Override DOMPDF defaults to disable remote fetching and set chroot to a restricted directory so local file references cannot escape it.
- Place the Akaunting application behind an egress proxy that allowlists only required external destinations.
- On AWS workloads, enforce Instance Metadata Service Version 2 (IMDSv2): it requires a session token obtained with a PUT request, which a GET-only fetch such as a DOMPDF image or stylesheet request cannot perform.
# config/dompdf.php hardening example. Akaunting's file is read by the laravel-dompdf wrapper;
# this is the legacy 'defines' key format. Newer wrapper versions use an 'options' array with
# 'enable_remote', 'enable_php' and 'chroot' keys instead, so match the format already in the file.
'defines' => [
    'DOMPDF_ENABLE_REMOTE' => false,                // DOMPDF isRemoteEnabled: no http(s) fetches while rendering
    'DOMPDF_ENABLE_PHP' => false,                   // DOMPDF isPhpEnabled: no inline PHP in invoice templates
    'DOMPDF_CHROOT' => storage_path('app/dompdf'),  // local file references confined to this directory;
                                                    // keep the logos and CSS the templates reference inside it
],
# Egress restriction (iptables) for the PHP worker account: reject cloud metadata and RFC1918 ranges.
# Replace www-data with the user your php-fpm pool runs as. Use -I instead of -A if an earlier
# OUTPUT rule already ACCEPTs this traffic, and mirror the rules in ip6tables (AWS also serves
# IMDS at fd00:ec2::254). Loopback is left open deliberately because local MySQL/Redis usually
# live there; reject it too if the application does not need it.
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.